The rules around the merger of personally identifiable information (PII) with ad-serving data are perhaps the most oft-referenced privacy rules in ad tech. Over the past 15 years, if you asked any ad tech CEO about privacy, the first words out of his or her mouth would have been: “We don’t collect PII.”

Even where senior execs didn’t know much about digital privacy, the one thing all of them did know is that PII was the third rail of digital privacy. As a result, the mere appearance of touching PII has been a non-starter in ad tech for as long as anyone can remember.

When DoubleClick bought Abacus Direct back in 1999, many worried it would combine Abacus’ personal information with DoubleClick’s online browsing data. Many things drove the reaction to the privacy scandal – not the least of which was an emotional response. Advocates lamented that DoubleClick/Abacus was creating a “surveillance database of Orwellian proportions,” and a constant stream of criticism rained down on DoubleClick for months. Collectively, advocates, regulators and the press drew a line in the sand indicating that ad networks must be kept as far away from the personally identifiable as possible.

Yet during the past 15 years, companies in the digital media marketplace continued to inch closer to PII. This begs the question: Has time softened the perspective of advocates and regulators? One thing is clear: Marketplace growth has clearly outpaced anything DoubleClick may have been contemplating.

By today’s standards, the scope and scale of information collected by DoubleClick during the Abacus acquisition seem almost quaint; I’m certainly not the first person to make this observation. Heck, even Merkle’s new deal with News Corp. will impact more consumers and serve more ads than DoubleClick/Abacus ever did.

In light of all this, why is the ad tech community clinging to these rules? Is there either a business or privacy advantage to maintaining the current pseudonymous data approach? (Some background is available here.)

Moving To An IoT-Enabled World

The Internet of Things (IoT) will exponentially increase the amount of digital data collected through watches, fitness devices, thermostats, automobiles, major appliances and dozens of other things that we haven’t even thought of yet. Marketers will need to be able to structure all of this data if they want to draw user-centric insights. As of today, there are really only two viable paths to structure IoT data.

Marketers could take a platform approach using pseudonymous identifiers. This is the approach currently utilized widely in mobile advertising and relies on a pseudonymous ID provided by the mobile operating systems. In an IoT-enabled world, an identifier could be provided by an OS, wireless carrier, browser and a social networking platform.

Marketers could also take a PII approach, which is practiced by many retailers that use customers’ email addresses or telephone numbers to tie all of this information together.

The platform approach works relatively well where the advertiser wants to understand what a particular piece of media cost, how many impressions it generated and what the audience looks like. But most platforms don’t allow third-party verification of their numbers or enable advertisers to understand the impact of cross-platform advertising. Answering simple questions such as, “How do users respond when they’ve seen my ad twice on Facebook and twice more on YouTube?” is nearly impossible with a platform approach.

As the number of customer touch points increases exponentially in an IoT-enabled world, advertisers are incented to move away from the platform approach, which they don’t control, to a PII approach, which they can control.

The Privacy Argument

I’m sure the mere mention of merging PII with digital data bits will give many privacy professionals fits. Nonetheless, the regulatory climates in the EU and US aren’t currently focused on reining in PII merger practices.

The European Union arguably has the world’s strictest privacy rules. Over the past several years, EU policymakers have grown increasingly reluctant to draw distinctions between personal data and pseudonymous data. There are many different things at play in the EU as we head into 2016, and the EU’s knee-jerk response to every privacy problem boils down to one word: consent.

In the US, it’s worth noting that in the 15 years since the DoubleClick/Abacus scandal, the Federal Trade Commission (FTC) has publicly said little about the merger of PII with ad-serving data. If anything, the FTC has seemingly shifted its focus away from the merger of PII with online profiling information. In 2010, it acknowledged that the “distinction between PII and non-PII continues to lose significance.” And there’s no mention of PII merger concerns in the recent FTC IoT staff report (PDF).

More Questions Than Answers

Facebook and Twitter have used email as a targeting ID both on and off their respective platforms for some time now, with nary a peep from the FTC.

If those entities are tacitly allowed to do that, is it a big deal for Merkle to use PII to target ads within the four corners of News Corp. sites? What are the distinctions we’re drawing as we head into 2016? Are larger entities really “more privacy protective because it’s all within one company” or are there other considerations?

In other words, what is the current rationale for the distinctions that are being drawn today?

To be clear, I’m not advocating any policy in particular. I’m simply noting that the industry came together and created a set of rules in 2000. And since that time, the industry has changed drastically – heck, the whole world has changed. Given all this transition, it’s worth asking whether some of these old rules still make sense.

2 Comments

I was there at ground zero in '99 in NYC with DoubleClick when the controversy erupted. 15 years on and from the perspective of regulators, the sell side and users, I have grown accustomed to hearing "we don't use/merge PII data" in almost robotic tone, sometimes with comedy effect. It's become the digital marketing equivalent of "I was only following orders" or "I did not inhale".

What HAS changed is that the targets have become more diffuse and complex for those who might wish to complain or regulate, and the reason the conversation has moved towards consent is because this thankfully remains a simple concept which is hard to cheat. It either exists, or it does not. I personally combine this with the Creepy Test. Would a user be surprised / creeped out to learn where their data, or elements of it, have ended up?

My day job involves helping publishers to collect permission-based first-party registration data, much of it from social login. Confusion often arises when they are using ad tech to monetise this data. Often logged-in users consume 3x more page impressions and the ads can be direct sold against this data at 3x CPM and 3x yield. That can mean that a site with 15% registration can have 50% of ads targeted against 1st party data, and 80% + revenues coming from non-programmatic. My real challenge, frankly, is persuading them to put their shoulder behind moving this inventory themselves instead of dumping it to secondary RTB channels and partners.

Since most of them also use a DMP to sift for value, I conducted a straw poll of providers, in an attempt to understand which of them would respect the consent to use the data on the publisher's site(s) only.

With the exception of one provider who saw value in this promise, the rest changed the subject or stared awkwardly at their shoes while mumbling "We do not use/merge PII".

I agree that PII is ill-defined. But I've yet to see an honest way around consent. There is no PII or non-PII in my brave new world. There is just user data and consent. If you are a publisher or site being bamboozled by justifications to the contrary, then maybe a good place to start is to audit how and to whom user data is leaving your site. Does it pass your own creepy test?

Alan, I would suggest looking at one emerging trend combining PII and consent in the retail segment, Intelligent Triggered Alerting. What that means is e-commerce product pages offering a new 'action' other than Add To Cart. It might say 'Get Alerts' and offer shoppers the ability to leave their email address (no other registration) and give their consent for specific criteria to trigger email or SMS alerts to them, such as price drops, new items added by the brands, new reviews, back-in-stock, other. I call this Permission Marketing at scale, and we are seeing several of the top 20 retailers heading in this direction. They've long known that they average less than a 2% conversion on product page views, yet they've never really been 'customer-centric' in simply asking page viewers for consent to market to them after they leave the site.